From 4b8cf1e2411b828249c32e9f9643e027e0bfca44 Mon Sep 17 00:00:00 2001 From: Erich Eckner Date: Thu, 22 Jun 2017 10:55:51 +0200 Subject: separate mirrorlist for i686 and x86_64 --- arch-nspawn.in | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) (limited to 'arch-nspawn.in') diff --git a/arch-nspawn.in b/arch-nspawn.in index b9c846e..a5e1957 100644 --- a/arch-nspawn.in +++ b/arch-nspawn.in @@ -58,9 +58,28 @@ else cache_dirs=("$cache_dir") fi +if [[ -n $makepkg_conf ]]; then + eval "$(grep -a '^CARCH=' "$makepkg_conf")" +else + eval "$(grep -a '^CARCH=' "$working_dir/etc/makepkg.conf")" +fi + pacconf_cmd=$(command -v pacman-conf || command -v pacconf) -# shellcheck disable=2016 -host_mirror=$($pacconf_cmd --repo extra Server 2> /dev/null | head -1 | sed -r 's#(.*/)extra/os/.*#\1$repo/os/$arch#') +if [[ ! "$CARCH" = 'x86_64' ]]; then + host_mirror="$( + sed -n ' + /^\s*Server\s*=/{ + s/^.*=\s*// + s/\s*\(#.*\)\?$// + p + q + }' \ + '/etc/pacman.d/mirrorlist32' + )" +else + # shellcheck disable=2016 + host_mirror=$($pacconf_cmd --repo extra Server 2> /dev/null | head -1 | sed -r 's#(.*/)extra/os/.*#\1$repo/os/$arch#') +fi # shellcheck disable=2016 [[ $host_mirror == *file://* ]] && host_mirror_path=$(echo "$host_mirror" | sed -r 's#file://(/.*)/\$repo/os/\$arch#\1#g') @@ -81,7 +100,9 @@ build_mount_args() { copy_hostconf () { cp -a /etc/pacman.d/gnupg "$working_dir/etc/pacman.d" - echo "Server = $host_mirror" >"$working_dir/etc/pacman.d/mirrorlist" + echo "Server = $host_mirror" | \ + tee "$working_dir/etc/pacman.d/mirrorlist" > \ + "$working_dir/etc/pacman.d/mirrorlist32" [[ -n $pac_conf ]] && cp "$pac_conf" "$working_dir/etc/pacman.conf" [[ -n $makepkg_conf ]] && cp "$makepkg_conf" "$working_dir/etc/makepkg.conf" 
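Review bot: The two added `eval "$(grep -a '^CARCH=' …)"` lines execute the whole matching line as shell code, so a command substitution on a `CARCH=` line in either `$makepkg_conf` or the chroot's `etc/makepkg.conf` would run on the host with the privileges of this script. The value only needs to be read, so it can be matched against a fixed pattern and assigned without `eval`, as sketched below; the last `CARCH=` line still wins, as it did with `eval`. If no line matches, `CARCH` stays unset and the `[[ ! "$CARCH" = 'x86_64' ]]` test silently takes the mirrorlist32 branch, which may deserve an explicit error.

```shell
carch_conf=${makepkg_conf:-$working_dir/etc/makepkg.conf}
carch_re="^CARCH=[\"']?([A-Za-z0-9_]+)[\"']?[[:space:]]*(#.*)?\$"
if [[ $(grep -a '^CARCH=' "$carch_conf" | tail -n 1) =~ $carch_re ]]; then
	CARCH=${BASH_REMATCH[1]}
fi

pacconf_cmd=$(command -v pacman-conf || command -v pacconf)
# … unchanged: host_mirror selection based on $CARCH …
```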
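Review bot: `copy_hostconf` writes `Server = $host_mirror` into both `mirrorlist` and `mirrorlist32` without checking that `$host_mirror` is non-empty. On the new non-x86_64 path the value comes from `sed` reading `/etc/pacman.d/mirrorlist32`, so a missing file or one without a `Server` line yields an empty string and the chroot ends up with `Server = ` in both lists. A guard before the `echo`, such as `[[ -n $host_mirror ]] || die 'No host mirror found.'`, would fail early instead. The function body continues outside this hunk.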
@@ -108,8 +129,6 @@ fi build_mount_args copy_hostconf -eval "$(grep -a '^CARCH=' "$working_dir/etc/makepkg.conf")" - [[ -z $nosetarch ]] || unset CARCH exec ${CARCH:+setarch "$CARCH"} systemd-nspawn -q \ -- cgit v1.2.3-54-g00ecf From b6bbb4fb186bde7b33e8141831643bddd0fb38a3 Mon Sep 17 00:00:00 2001 From: Brian Bidulock Date: Sat, 18 Nov 2017 22:53:37 -0700 Subject: arch-nspawn should not take pacman cache from host Previously, arch-nspawn was using the hosts' pacman cache in the chroot even when the chroot was set up with a different cache by mkarchroot, unless specified with the -c flag. Problem is that makechrootpkg passes no -C, -M nor -c flags to arch-nspawn, so all values must be obtained from the working directory. This change take the cache directories from the pacman.conf specified with the -C option unless the -c option was given (as is the case when the chroot is set up with mkarchroot), and, when neither -C nor -c is given (as is the case when invoked by makechrootpkg), the cache directory is taken from the pacman.conf in the working directory. This wasn't such an issue when i686 was mainline, however, which building packages in a chroot against archlinux32 on an x86_64 platform, the cache of the host should _never_ be used. --- arch-nspawn.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'arch-nspawn.in') diff --git a/arch-nspawn.in b/arch-nspawn.in index a5e1957..79cff1a 100644 --- a/arch-nspawn.in +++ b/arch-nspawn.in 
@@ -53,7 +53,11 @@ shift 1 [[ -z $working_dir ]] && die 'Please specify a working directory.' if [[ -z $cache_dir ]]; then - cache_dirs=($(pacman -v 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g')) + if [[ -z $pac_conf ]]; then + cache_dirs=($(pacman --config "$working_dir/etc/pacman.conf" -v 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g')) + else + cache_dirs=($(pacman --config "$pac_conf" -v 2>&1 | grep '^Cache Dirs:' | sed 's/Cache Dirs:\s*//g')) + fi else cache_dirs=("$cache_dir") fi -- cgit v1.2.3-54-g00ecf From a800df3fbc55204f66f54248aaf87ba797307f96 Mon Sep 17 00:00:00 2001 
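Review bot: The cache directory list is now parsed from `$working_dir/etc/pacman.conf`, a file inside the chroot, and nothing in this hunk validates the result before it is used. If these paths later serve as host-side bind-mount sources (the body of `build_mount_args` is not visible here), a chroot-side config decides which host directories get exposed. A failing `pacman -v` run also leaves `cache_dirs` empty without any error, and the unquoted `$(…)` is subject to glob expansion. The two branches differ only in the config path, so they could collapse to one call using `--config "${pac_conf:-$working_dir/etc/pacman.conf}"`, followed by `(( ${#cache_dirs[@]} )) || die 'No cache directory found.'`.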
From: Eli Schwartz Date: Sat, 1 Dec 2018 19:36:23 -0500 Subject: arch-nspawn: don't delete the guest gpg configuration It's important to ensure the guest has up to date data because updating a chroot after quite some time can potentially rely on updated archlinux-keyring, something which the host machine either kept up to date on or manually fixed, but it kills automation to mess around with chroot configs like that. Alternatively, signed packages added with -I need to work, and we assume the host is configured to accept these. That is *not* a good reason to completely nuke whatever is in the guest, though. A guest might have been manually configured to accept keys which aren't accepted by the host; one example of this happening in practice, is archlinux32 when building 32-bit packages from an archlinux host. A simple solution is to use pacman-key's native facility to dump the known keys and trust status from one gpg configuration, and import it into another. Use this to append to, rather than overwrite, the chrooted guest's pacman keyring. While we are at it, fix a bug where we didn't respect the host's pacman.conf settings for the GpgDir. While it isn't wildly likely a user will choose to customize this, it is a valid and supported use case and we must think about this ourselves. --- arch-nspawn.in | 3 ++- makechrootpkg.in | 3 +++ mkarchroot.in | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) (limited to 'arch-nspawn.in') diff --git a/arch-nspawn.in b/arch-nspawn.in index 79cff1a..7132885 100644 --- a/arch-nspawn.in +++ b/arch-nspawn.in 
@@ -103,7 +103,8 @@ build_mount_args() { } copy_hostconf () { - cp -a /etc/pacman.d/gnupg "$working_dir/etc/pacman.d" + gpg --homedir "$working_dir"/etc/pacman.d/gnupg/ --no-permission-warning --quiet --batch --import --import-options import-local-sigs "$(pacman-conf GpgDir)"/pubring.gpg >/dev/null 2>&1 + pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" >/dev/null 2>&1 echo "Server = $host_mirror" | \ tee "$working_dir/etc/pacman.d/mirrorlist" > \ "$working_dir/etc/pacman.d/mirrorlist32" diff --git a/makechrootpkg.in b/makechrootpkg.in index f606df0..adaa758 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -221,6 +221,9 @@ _chrootbuild() { # shellcheck source=/dev/null . /etc/profile + # otherwise we might have missing keys + pacman-key --populate + # Beware, there are some stupid arbitrary rules on how you can # use "$" in arguments to commands with "sudo -i". ${foo} or # ${1} is OK, but $foo or $1 isn't. diff --git a/mkarchroot.in b/mkarchroot.in index a916f2a..df995a8 100644 --- a/mkarchroot.in +++ b/mkarchroot.in @@ -93,6 +93,8 @@ echo "$CHROOT_VERSION" > "$working_dir/.arch-chroot" systemd-machine-id-setup --root="$working_dir" +pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg --init + exec arch-nspawn \ ${nosetarch:+-s} \ ${pac_conf:+-C "$pac_conf"} \ -- cgit v1.2.3-54-g00ecf
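Review bot: Both new keyring commands in `copy_hostconf` send stdout and stderr to `/dev/null` and their exit status is not checked, so a failed `gpg --import` or `pacman-key --import-trustdb` leaves the guest keyring without the host's keys and trust, and nothing reports it. Because this keyring decides which package signatures the chroot accepts, keep stderr and test the result, for example by ending each command with `>/dev/null || die 'Failed to import the host keyring into the chroot.'` (or a warning, if best-effort is intended). `"$(pacman-conf GpgDir)"` is also evaluated twice and calls `pacman-conf` directly, although this file elsewhere resolves the tool as `$pacconf_cmd`. The `pacman-key --populate` added to makechrootpkg.in and the `pacman-key --init` added to mkarchroot.in likewise show no failure handling in the visible lines. `copy_hostconf` continues outside the hunk.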